MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d
SHA3-384 hash: 4f6e4263419fe3a3f3de9fd681e30ca748bf3fd9efaa52ddeb6cbe67f524475ad10cbab43217228ec268517c1b65ce96
SHA1 hash: c27b034154e9c06ecf92dbf6a6d325b5a1d9f686
MD5 hash: 0977250e9480b76a1b175d79a4800961
humanhash: kansas-march-sweet-lactose
File name:mips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:86'232 bytes
First seen:2026-01-23 02:33:25 UTC
Last seen:2026-01-23 11:53:55 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:usDu+f6u6vMJmAHsb36Qkh1Mhe+BEmbF5ruK:1y3db3I1M9bFBuK
TLSH T17683965E6E21DFADF7A882354BB74E31979833D623D1C685E26CD5002F6034E641FBA8
telfhash t108214c08893813f09bb60ded67edfe76d45170ef46256e378d00f9a9aa2dd425d01c2c
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
mirai
Link:
https://www.filescan.io/uploads/6972ddf8f3c1b7b1fbdacf4f/reports/15f8368b-059c-48f0-bd8f-14f61b207753/overview
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
true
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
79
Number of processes launched:
7
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d
Behaviour
Anti-VM
Persistence
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-23T00:50:00Z UTC
Last seen:
2026-01-24T12:59:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/6292f8f3-73d5-4344-95e9-96f63ea0dbf2
Behavior Graph:
Download SVG
%3 guuid=20929d00-1700-0000-38bf-bb1c2d0e0000 pid=3629 /usr/bin/sudo guuid=fb118403-1700-0000-38bf-bb1c350e0000 pid=3637 /tmp/sample.bin guuid=20929d00-1700-0000-38bf-bb1c2d0e0000 pid=3629->guuid=fb118403-1700-0000-38bf-bb1c350e0000 pid=3637 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/50881692-aafe-4dc6-bbb3-7b00cc0b8b2d
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1856133
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1856133 Sample: mips.elf Startdate: 23/01/2026 Architecture: LINUX Score: 72 77 178.225.159.42, 61357 TMO-NL-ASNL Netherlands 2->77 79 205.44.135.234, 46072 NTT-COMMUNICATIONS-2914US United States 2->79 81 25 other IPs or domains 2->81 85 Antivirus / Scanner detection for submitted sample 2->85 87 Multi AV Scanner detection for submitted file 2->87 89 Connects to many ports of the same IP (likely port scanning) 2->89 11 systemd gdm3 2->11         started        13 systemd gpu-manager 2->13         started        15 systemd accounts-daemon 2->15         started        18 23 other processes 2->18 signatures3 process4 file5 21 gdm3 gdm-session-worker 11->21         started        23 gdm3 plymouth 11->23         started        33 2 other processes 11->33 25 gpu-manager sh 13->25         started        27 gpu-manager sh 13->27         started        29 gpu-manager sh 13->29         started        35 5 other processes 13->35 93 Reads system files that contain records of logged in users 15->93 31 accounts-daemon language-validate 15->31         started        75 /var/log/wtmp, data 18->75 dropped 95 Sample tries to kill multiple processes (SIGKILL) 18->95 97 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->97 37 6 other processes 18->37 signatures6 process7 process8 39 gdm-session-worker gdm-wayland-session 21->39         started        41 sh grep 25->41         started        43 sh grep 27->43         started        45 sh grep 29->45         started        47 language-validate language-options 31->47         started        49 sh grep 35->49         started        51 sh grep 35->51         started        53 sh grep 35->53         started        55 2 other processes 35->55 process9 57 gdm-wayland-session dbus-run-session 39->57         started        59 gdm-wayland-session dbus-daemon 39->59         started        62 language-options sh 47->62         started        signatures10 64 dbus-run-session dbus-daemon 57->64         started        91 Sample reads /proc/mounts (often used for finding a writable filesystem) 59->91 67 dbus-daemon 59->67         started        69 sh locale 62->69         started        71 sh grep 62->71         started        process11 signatures12 83 Sample reads /proc/mounts (often used for finding a writable filesystem) 64->83 73 dbus-daemon false 67->73         started        process13
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-01-23 02:34:29 UTC
File Type:
ELF32 Big (Exe)
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wp5c43p65hm2xho5b5pon4lx6jotr33doqgqerig3rumfbatxywq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/260123-c14b6aey4b/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Creates/modifies Cron job
Enumerates running processes
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_IoT_Persistence_Hunt
Create hunting rule
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf b3fa2e6dfee9d9ab9ddd0f5ee6f177f25d38ef63740d024506dc68c28413be2d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3745419/
  
Delivery method
Distributed via web download

Comments